Information Commissioner's Office 


ICO consultation on the draft right of access guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 
email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 
stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


The Council considers that it may be useful for the Commissioner to provide clarity 
between the Right of Access and data sharing in relation to compliance with the six data 
protection principles. This is particularly in reference to an observation made by the 
Council later in this response concerning the exercise of rights on behalf of others. 


Q2 Does the draft guidance contain the right level of detail? 


X Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


Yes 
No 


Unsure/don’t know 


X 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


The Council believes that it may be better to provide examples in relation to where a 
parent seeks to exercise the Right of Access on behalf of their child aged 12 or over. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


From experience, the Council puts forward the following circumstances which could be 
viewed as being “manifestly unfounded or excessive”: 
- where a data subject submits a new request for the same personal data which the 
Council has previously provided and the personal data has not changed; or 
- where it is clear that a requestor is seeking to use their rights under data 
protection laws for the purpose of harassing the controller or its employees into 
adopting a course of action sought by the requestor. It is suggested that this 
would be similar to a “vexatious” request under FOIA or FOISA where there has 
been extensive case law. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful 
2 - Slightly useful 
3 - Moderately useful 
4 - Very useful 
5 - Extremely useful 


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree 
Disagree 
Neither agree nor disagree 
Agree 
Strongly agree 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


See attached note 


Q9 Are you answering as: 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

X On behalf of an organisation 

Other 


Please specify the name of your organisation: 


South Lanarkshire Council 


What sector are you from: 


Local Government 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


Attached Note to response by South Lanarkshire Council 


The Council welcomes the opportunity to comment upon the draft guidance prepared by the 
Commissioner and wishes the following comments to be considered as suggestions and not criticism of 
the guidance: 


Use of Social Media 

The guidance confirms that there are no restrictions on how data subjects may request to exercise their 
Right of Access. Existing Council Guidance takes most of these methods into account. However, the 
ICO has specifically mentioned the use of any social media as being a possible way to make the 
request. Whilst this is correct, the Guidance does not mention that to use this method is more likely to 
require proof of ID from the requestor as the Council does not use this method for communication 
with particular individuals and so is likely to be more limited in being able to satisfy itself on the 
identity of the requestor without proof of identity. This possibility is referred to by the ICO in relation 
to other forms of communication but not social media. It may be that the ICO should consider 
mentioning this possibility specifically in this section of the guidance. 


Third Party SARs 

The guidance explains how third parties can make SARs on behalf of a data subject through powers of 
attorney or guardianships or other court orders. The guidance, also, explains that a child aged 12 and 
above is deemed to have capacity to make a request in their own right. She explains in her guidance 
that upon gaining such capacity, a parent can exercise the right on behalf of the child if the child 
consents or “if it is evident that this is in the best interests of the child”. It is suggested that the latter 
proposal in italics is inconsistent with the principle of all rights being exercised by the child. It 
would, however, be consistent with data sharing with parents in compliance with the data protection 
principles. It is suggested that the guidance should be confined to the powers of third parties to act on 
behalf of a data subject when legally authorized to do so. 


Clarification and the time to respond 

In terms of the ICO’s guidance, the period to respond does not stop or reset where the Council seeks 
“clarification”. This appears to present difficulties in responding, as how could the Council respond if it 
does not know what information is being sought? Upon reading the context of the guidance, it looks 
like the Commissioner may be better to clarify the difference between where the information sought is 
unclear and where the information sought is large and the request narrowed. Clearly, in the latter 
case, the clock would still be running but not the former; revising the wording to clarify this would be 
helpful. 


The Applied GDPR 

The Applied GDPR applies to personal data held in an unstructured manner. The Council is permitted 
to refuse a request for information where it would exceed the maximum level of costs in terms of 
FOIA/FOISA. If it is intended that the calculation of limits be based upon either FOIA or FOISA, the 
guidance should refer to the different capped hourly rates in respect of both pieces of legislation. 


Health records held by the Council 

There is a requirement that the Council must consult with a medical professional when considering 
disclosure of medical records. However, the DPA 2018 states that the duty to comply with the Right of 
Access does not apply unless the Council has obtained an opinion from the appropriate health 
professional to the effect that the serious harm test is met with respect to that data. There is no 
indication that the duty to comply with the Right of Access, including the time limit of 1 month to 
respond, is suspended during the period of consultation so far as the Council can see. This is very 
different from the position of the Principal Reporter. In that case, the DPA is clear that the duty does 
not apply, e.g. the time limits for compliance do not run, unless the Principal Reporter has informed 
the Council that, in his/her opinion, the serious harm test is not met with respect to the data. This 
reflects the position set down in previous legislation and the view has been taken that, unless a 
response is received from the appropriate health professional within the time limits, the Council 
would need to reach a view of its own in respect of the personal data and whether the serious harm 
test was met as the time limit still applied in relation to compliance with rights. 

However, the guidance seems to treat both scenarios in the same manner and states that the Council 
is restricted from providing the information unless the medical professional states that there would be 
no harm caused in doing so. However, this appears to be inconsistent with the DPA in relation to the 
time limit for responding. Whilst the Council welcomes the interpretation of the Commissioner in 
respect of suspending the compliance period while it consults with the appropriate medical 
professional, it is unsure as to whether that is what is set down in the DPA. It may be that the 
Commissioner may wish to reconsider the guidance provided on this topic. 


FOISA and the Right of Access 

The guidance sets down the expectations of the Commissioner in relation to dealing with requests for 
personal data that refer to FOIA/FOISA and similar legislation. The guidance clearly reflects the 
Commissioner’s joint role in relation to the interaction of these regimes for non-devolved public bodies 
and states that the Commissioner would not expect a request to be dealt with under FOIA where it is 
clearly a SAR. The Council is unsure whether the Scottish Information Commissioner would take the 
same view. It is understood that the SIC would expect a formal response to be issued under FOISA 
and similar legislation. It may be that the SIC has contributed to this section. If that is the case, it 
may be useful for the guidance to say so or for the SIC to issue his own guidance regarding what to 
do in those circumstances. 


